Study says over 1m Windows PCs compromised


A study
by the German Honeynet Project estimates that over a million
internet-connected computers, the majority of which are running
Windows XP and Windows 2000, are infected with bots and can be
harnessed by crackers to launch attacks.

The group said that once an attacker had compromised a machine,
he or she normally installed an IRC (internet relay chat) bot -
also called a zombie or drone - on it. IRC is a means of real-time
communication over the net, either one to one or in forums called
channels.

The Honeynet Project is a non-profit research body of security
professionals dedicated to information security. The name derives
from the fact that they use computers called honeypots to attract
attackers; data is then collected and analysed.

The compromised machines form a botnet which can be remotely
controlled; each botnet consists of tens of thousands of machines
and can thus pose serious threats, the researchers said.

Given that a huge number of people have broadband connections,
even a botnet of 1,000 PCs would yield considerable bandwidth and,
because its members' IP addresses are widely distributed, make
filtering by those under attack very difficult, the study said.

An analysis of the traffic captured showed that most of it
targeted ports used for sharing resources on machines running all
versions of Windows:

Port 445/TCP (Microsoft-DS Service) is used for resource sharing
on machines running Windows 2000, XP, or 2003, and for other CIFS-based
connections. For example, it is used to connect to file
shares.

Port 139/TCP (NetBIOS Session Service) is used for resource
sharing on machines running Windows 9x, ME and NT. This port is
also used to connect to file shares.

Port 137/UDP (NetBIOS Name Service) is used by computers
running Windows to find out information about networking features
offered by another computer. Information retrieved can include
system name, name of file shares, and more.

Port 135/TCP is used by Microsoft to implement Remote Procedure
Call (RPC) services. An RPC service allows a program running on one
host to cause code to be executed on another host without the
programmer needing to explicitly code for this.

The researchers found that traffic on these four ports amounted
to more than 80 percent of the total traffic they captured. Using
tools like nmap, Xprobe2 and p0f, they found that most of the
affected machines were running Windows XP and Windows 2000; systems
running Windows Server 2003 and other versions of Windows followed,
far behind.
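The port breakdown above is the kind of measurement a network defender can reproduce from their own flow logs. The following script is an added example written for this page, not code from the Honeynet Project or the study; it parses a small set of constructed flow records (timestamp, source, destination, protocol, destination port), computes what share of the traffic hits the four Windows resource-sharing ports named above, and lists sources that touched those ports on several distinct hosts, which is the pattern a self-propagating bot leaves. The log format and the threshold of three distinct hosts are assumptions for illustration.

```python
"""Measure the share of captured traffic aimed at the four Windows
resource-sharing ports (445/tcp, 139/tcp, 137/udp, 135/tcp) and list
sources that probe them across multiple hosts.

Added example for this article; not the study's own tooling.
The flow records below are constructed, using documentation-only
IP ranges (RFC 5737), so the script runs offline.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Ports the study reports as carrying over 80 percent of captured traffic.
WINDOWS_SHARE_PORTS = {
    ("tcp", 445): "Microsoft-DS (SMB over TCP)",
    ("tcp", 139): "NetBIOS Session Service",
    ("udp", 137): "NetBIOS Name Service",
    ("tcp", 135): "MSRPC endpoint mapper",
}

# Constructed sample flows: "<timestamp> <src> <dst> <proto> <dport>".
# One malformed line is included to show that bad records are skipped.
SAMPLE_LOG = """\
2005-03-13T10:00:01 203.0.113.5 192.0.2.10 tcp 445
2005-03-13T10:00:02 203.0.113.5 192.0.2.11 tcp 445
2005-03-13T10:00:02 203.0.113.5 192.0.2.12 tcp 139
2005-03-13T10:00:03 198.51.100.7 192.0.2.10 tcp 135
2005-03-13T10:00:04 198.51.100.7 192.0.2.10 udp 137
2005-03-13T10:00:05 203.0.113.9 192.0.2.20 tcp 445
2005-03-13T10:00:06 203.0.113.9 192.0.2.21 tcp 445
2005-03-13T10:00:07 203.0.113.9 192.0.2.22 tcp 135
2005-03-13T10:00:08 198.51.100.3 192.0.2.10 tcp 80
2005-03-13T10:00:09 198.51.100.3 192.0.2.10 tcp 22
garbage line
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record; return None for malformed lines instead of raising."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    if proto not in ("tcp", "udp") or not dport.isdigit():
        return None
    return Flow(ts, src, dst, proto, int(dport))


def summarise(lines: Iterable[str]) -> Dict[str, object]:
    """Count flows per (proto, port) and the share aimed at the Windows ports."""
    flows = [f for f in map(parse_flow, lines) if f is not None]
    per_port = Counter((f.proto, f.dport) for f in flows)
    hits = sum(n for key, n in per_port.items() if key in WINDOWS_SHARE_PORTS)
    total = len(flows)
    return {
        "total": total,
        "share_port_hits": hits,
        "share": hits / total if total else 0.0,
        "per_port": per_port,
    }


def noisy_sources(lines: Iterable[str], threshold: int = 3) -> List[str]:
    """Sources that hit Windows sharing ports on at least `threshold` distinct hosts.

    A bot scanning for new victims touches many hosts on the same few
    ports; a legitimate client talks to one or two file servers.
    """
    targets = defaultdict(set)
    for f in map(parse_flow, lines):
        if f is not None and (f.proto, f.dport) in WINDOWS_SHARE_PORTS:
            targets[f.src].add(f.dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    report = summarise(lines)
    print(f"flows: {report['total']}, on Windows sharing ports: "
          f"{report['share_port_hits']} ({report['share']:.0%})")
    for (proto, port), n in sorted(report["per_port"].items()):
        label = WINDOWS_SHARE_PORTS.get((proto, port), "other")
        print(f"  {port}/{proto:<4} {n:>3}  {label}")
    print("sources probing several hosts:", ", ".join(noisy_sources(lines)))
```

On the constructed sample, 8 of 10 well-formed flows (80 percent) land on the four ports, mirroring the proportion the study reports, and two sources are flagged for sweeping three hosts each. Against real data the threshold should be tuned to the size of the monitored network, and known file servers and domain controllers allow-listed before the source list is treated as a lead.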

They said that the botnets could be used to launch all kinds of
common attacks - distributed denials of service, spamming, sniffing
traffic, keylogging, spreading new malware, Google AdSense abuse,
attacking IRC networks, manipulating online games or polls and mass
ID theft.

They said they had tracked over 100 botnets during the last four
months, some of which had died. During this period, they said,
226,185 unique IP addresses had joined at least one of the channels
they tracked.

The botnets they tracked ranged in size from a few hundred PCs
to one with up to 50,000 compromised machines.